Overview

overview

8

Static

static

ca9f1d4317...ff.exe

windows7-x64

8

ca9f1d4317...ff.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    155s
  • max time network
    173s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 21:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe

  • Size

    606KB

  • MD5

    6223351a6eec39b6e61748127ce4f210

  • SHA1

    eee9ef6dd77a45f020bba75140089c047d230367

  • SHA256

    ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff

  • SHA512

    d388969d8fc4a2cb9474b71d3307d16f93547b9362b91d65dc9deb9ad7d366e113548b54ee01bbe68c24b907a6d9771ae3962272818117b40d44b65dd6045568

  • SSDEEP

    12288:4QbE677XH+UAzrk3V58Jpvr3tZKM8+7b5MpSpvo:f3+UAzrk3oJpBZx8+P6pp

Score
8/10
discoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 26 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 58 IoCs
  • Drops file in Program Files directory 29 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe
    "C:\Users\Admin\AppData\Local\Temp\ca9f1d43178c941f271d1fdb4e75c7be19a1a6a9f78d34c855eacc9191b874ff.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2356
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2356 -s 940
      2⤵
      • Program crash
      PID:448
  • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:5076
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 5076 -s 392
      2⤵
      • Program crash
      PID:1340
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 424 -p 5076 -ip 5076
    1⤵
      PID:5116
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:4516
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 4516 -s 116
        2⤵
        • Program crash
        PID:2024
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -pss -s 560 -p 4516 -ip 4516
      1⤵
        PID:2908
      • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
        "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
        1⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        PID:652
      • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
        "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
        1⤵
        • Executes dropped EXE
        • Windows security modification
        • Enumerates connected drives
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • System policy modification
        PID:4924
      • C:\Windows\System32\OpenSSH\ssh-agent.exe
        C:\Windows\System32\OpenSSH\ssh-agent.exe
        1⤵
        • Executes dropped EXE
        PID:2268
      • C:\Windows\system32\AgentService.exe
        C:\Windows\system32\AgentService.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4536
      • C:\Windows\system32\wbengine.exe
        "C:\Windows\system32\wbengine.exe"
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:748
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -pss -s 596 -p 2356 -ip 2356
        1⤵
          PID:2216
        • C:\Windows\servicing\TrustedInstaller.exe
          C:\Windows\servicing\TrustedInstaller.exe
          1⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          PID:4008

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
          Filesize

          2.1MB

          MD5

          febcf6b8e312ebfbe75125970d605c6e

          SHA1

          6fd8114daccea9ea7515ad27897e42562fe70180

          SHA256

          ac3929c8c2ff49e9ec2b98e78e99205f138b25244333dfc31328248b7da4d85a

          SHA512

          7857beaac33c0ff7f3fc6be53b17b36c42f522b66f47b9e46c3ef14055ee5b11ebc86d05ceff95f5d84dd083009f762b38a623b2bcde08426b59c6d94121a570

          Download Submit

        • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
          Filesize

          808KB

          MD5

          8e0a6891c0f6097e1b900f7058034743

          SHA1

          5bcb44efc1880cc9de5504155cdfa71b8132de5a

          SHA256

          48d2c51652662973e6a951a8de63e38fca1687a28ab1b6fd2a3106d09991fe97

          SHA512

          afe2f379dcb47fda61ab0b6211f40eaa0b7fa583e157ac04a84fc0d9fc279f12697fa27193c8ec164869b33835ade5636ee2b30cb418834633c6ad0c417c7f8b

          Download Submit

        • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
          Filesize

          817KB

          MD5

          ca930dd1b726d24261ee3ac5b531f755

          SHA1

          b49768a847467b77b83b39a3594a022b98d3a841

          SHA256

          71d9d65b7056411042330d8de1517ecd24c1b0366b0b2b4e85b57a524ea8343e

          SHA512

          bbd6e7c765a21ae497d323337ee07a6ddbdb0d8679e742f2adbdff90f6a8af21af5c8a7568edaacbea6eec68640f5a1404b0ed673ae7fb79bef959e1e834aee1

          Download Submit

        • C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
          Filesize

          2.0MB

          MD5

          4f16531c7c7a0813ea1bcb39dc07a7ff

          SHA1

          a1d1ac544ed61bf759249ca3d0de2c17f8139873

          SHA256

          037db0e182c376205096d9d6bf383aa84985919d9571ad4da2d265fc6a2930a6

          SHA512

          1884127d1a24f3b78978a6c9ec36eff0ddbd004a22e1dbc808137ddbf3a3c7d254ec6c1893c00550e7ede1ca610aaa163a6e65f5b2a869285e9606e9311cd4ba

          Download Submit

        • C:\Windows\System32\AgentService.exe
          Filesize

          1.7MB

          MD5

          d436d78fcfc73c2a00cd7111430b5eaf

          SHA1

          915af3507f059d1d02ae9557d2c4f431b1089b9a

          SHA256

          8d2bf467c1f68f97bfe14434249e3858947707c99f9c1c552d8c2b497a1cde58

          SHA512

          2afce854482670e065df1b27ec341182b85725f929ca48621daf568c9d52b74eb17c1a73ab1f4c20e5edb13f220752b559265f4f1aeceb1492a259f3796033bd

          Download Submit

        • C:\Windows\System32\OpenSSH\ssh-agent.exe
          Filesize

          952KB

          MD5

          e8ef6103455c7001d07e0173c8e8388c

          SHA1

          1df59110880abf4615846d83108c35b64c7219d5

          SHA256

          9fdb819444e6fbe58a17cde310ab45e82404c34568308c090c8aae6fcaffeab2

          SHA512

          af4427b18b15abcd9858d170a51caa31bbb36d0bd368244e577885f7f40bc7d28bbbadaa510db942e24fa7bbe877d1a636ce8d700c709775d383a992f6d82c3b

          Download Submit

        • C:\Windows\System32\OpenSSH\ssh-agent.exe
          Filesize

          952KB

          MD5

          e8ef6103455c7001d07e0173c8e8388c

          SHA1

          1df59110880abf4615846d83108c35b64c7219d5

          SHA256

          9fdb819444e6fbe58a17cde310ab45e82404c34568308c090c8aae6fcaffeab2

          SHA512

          af4427b18b15abcd9858d170a51caa31bbb36d0bd368244e577885f7f40bc7d28bbbadaa510db942e24fa7bbe877d1a636ce8d700c709775d383a992f6d82c3b

          Download Submit

        • C:\Windows\System32\wbengine.exe
          Filesize

          2.1MB

          MD5

          858e1228c3cb416636e51f2b5901fa95

          SHA1

          3209168a9efc73106a52741063dd9574903aef03

          SHA256

          54de84c8b6dbc865c8b3f89e7c6c010c0a948f767035cf8814c0ff88e60bc42a

          SHA512

          d906e668ae2d64b5e7b18be1970509270e4f3cb77657b33fdf40203d082d5ba8d35617e3becd76c67c98d4cf8e3529e432088aa4a297c1b958aee6e9f7c631c4

          Download Submit

        • C:\Windows\servicing\TrustedInstaller.exe
          Filesize

          193KB

          MD5

          805418acd5280e97074bdadca4d95195

          SHA1

          a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

          SHA256

          73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

          SHA512

          630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

          Download Submit

        • \??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe
          Filesize

          2.1MB

          MD5

          febcf6b8e312ebfbe75125970d605c6e

          SHA1

          6fd8114daccea9ea7515ad27897e42562fe70180

          SHA256

          ac3929c8c2ff49e9ec2b98e78e99205f138b25244333dfc31328248b7da4d85a

          SHA512

          7857beaac33c0ff7f3fc6be53b17b36c42f522b66f47b9e46c3ef14055ee5b11ebc86d05ceff95f5d84dd083009f762b38a623b2bcde08426b59c6d94121a570

          Download Submit

        • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe
          Filesize

          808KB

          MD5

          8e0a6891c0f6097e1b900f7058034743

          SHA1

          5bcb44efc1880cc9de5504155cdfa71b8132de5a

          SHA256

          48d2c51652662973e6a951a8de63e38fca1687a28ab1b6fd2a3106d09991fe97

          SHA512

          afe2f379dcb47fda61ab0b6211f40eaa0b7fa583e157ac04a84fc0d9fc279f12697fa27193c8ec164869b33835ade5636ee2b30cb418834633c6ad0c417c7f8b

          Download Submit

        • \??\c:\program files\google\chrome\Application\89.0.4389.114\elevation_service.exe
          Filesize

          2.0MB

          MD5

          4f16531c7c7a0813ea1bcb39dc07a7ff

          SHA1

          a1d1ac544ed61bf759249ca3d0de2c17f8139873

          SHA256

          037db0e182c376205096d9d6bf383aa84985919d9571ad4da2d265fc6a2930a6

          SHA512

          1884127d1a24f3b78978a6c9ec36eff0ddbd004a22e1dbc808137ddbf3a3c7d254ec6c1893c00550e7ede1ca610aaa163a6e65f5b2a869285e9606e9311cd4ba

          Download Submit

        • \??\c:\program files\windows media player\wmpnetwk.exe
          Filesize

          1.5MB

          MD5

          918e1b5a13122e6e93f9cb2ddec8eb71

          SHA1

          9b970bec7f76e31ff3b9b6b6e3644b0227c291bc

          SHA256

          e66a9ea7081f50c573f56c5e8dcf95a3ce8b40b61719b8dccf9f549a9e2c0f74

          SHA512

          376041b4e5a945beae6ab8c7a186f70c3362c7f5076de2d095b7b65e7ce1264e3b7c03f9fc1280fef5c8b57022ec4933482db4aec777d1827f72e7531a3bc628

          Download Submit

        • \??\c:\windows\system32\Agentservice.exe
          Filesize

          1.7MB

          MD5

          d436d78fcfc73c2a00cd7111430b5eaf

          SHA1

          915af3507f059d1d02ae9557d2c4f431b1089b9a

          SHA256

          8d2bf467c1f68f97bfe14434249e3858947707c99f9c1c552d8c2b497a1cde58

          SHA512

          2afce854482670e065df1b27ec341182b85725f929ca48621daf568c9d52b74eb17c1a73ab1f4c20e5edb13f220752b559265f4f1aeceb1492a259f3796033bd

          Download Submit

        • \??\c:\windows\system32\Appvclient.exe
          Filesize

          1.3MB

          MD5

          2014e040162289fc2f0c633cfc05d42a

          SHA1

          56d395d147bc0a4939bd2d39ed77ae6e143e90d2

          SHA256

          7a405909dd0f0bc9bea41930ffb69a9966a1359783a684e93d7e06aa23f2e69d

          SHA512

          09abaa0be9ad6099a174a5877e8dc5b14a5ebd6e80f49b45be156da4e19ff0ca75cf224be92a195bdc4dc7a33baba120cd882276fae6aa66614a3766e2093217

          Download Submit

        • \??\c:\windows\system32\fxssvc.exe
          Filesize

          1.2MB

          MD5

          4c70519170defd45e30633bf3992f6ee

          SHA1

          4ae85b41091bedc4a1b9026e6d6697df6474c52c

          SHA256

          2ec45b1387941e5306dd354773bd323a8cd2111f4cff2e28d5c6a8f8badcc601

          SHA512

          61ad72c4a9cce98f8b007ff819adb470bc28a07bbda6b38230973f46afec47f107f84486259288e30f2f3127000309adf7cc02819636dc6751fd93e13c03f56e

          Download Submit

        • \??\c:\windows\system32\msdtc.exe
          Filesize

          724KB

          MD5

          6f6ec6b17f6af10593d20066cacccc95

          SHA1

          678d208dbd953974ef8bc6dc8dd1d93ad306dc5f

          SHA256

          cc80f8f9ba367b4ea7c9857a3cd2ddd89e4f131075a9d1a7dcaab0c0dc839794

          SHA512

          320f93332b628d6bfc20583befef5d58807cd5c1e71441e402e077c7371f2eec9f5a6d841018520d3fe943b2df6d11ccfd5b4d2cc6d74bc917532caed7b3e4b0

          Download Submit

        • \??\c:\windows\system32\msiexec.exe
          Filesize

          647KB

          MD5

          500b6d4f2abbf27df96c65d068d89adf

          SHA1

          57ff4972e4bb10b6eb57520604139a7f8eb2c9ee

          SHA256

          c583d0438b53b5765e12e1c3ea27b38a6d95adff11eb4abea604c8dbe0cd01f7

          SHA512

          42e2567f986c827587fe0203a4220a5712928599643a642e0983cf430dbecfe3ba339bfec1fc9d977309e77803cb5ba22492dd2be6f193dc243cdca73dab600f

          Download Submit

        • \??\c:\windows\system32\snmptrap.exe
          Filesize

          596KB

          MD5

          8c3302e8d895e2fbb9181a4c35cd9840

          SHA1

          58ef487f40bc8864066b4c4adea3b04e3f53323d

          SHA256

          6c89624b87dd04fa91b4869ddf7dfb45116ade2fb1fb4fa20f48191a37102c9c

          SHA512

          68ad15ec7b3d244f70a25d70253d6a6bd3518b851ddc85badbdfbf9022fe5b39fd0c4289d31116892ce63dc38fce0f4984cefb3128be8d39bf58a38fe058eb47

          Download Submit

        • memory/652-143-0x0000000140000000-0x0000000140231000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/652-142-0x0000000140000000-0x0000000140231000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/748-152-0x0000000140000000-0x0000000140378000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/748-153-0x0000000140000000-0x0000000140378000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/748-167-0x0000000140000000-0x0000000140378000-memory.dmp

          Filesize

          3.5MB

          Download

        • memory/2268-148-0x0000000140000000-0x0000000140264000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2268-166-0x0000000140000000-0x0000000140264000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/2356-154-0x0000000100000000-0x000000010028C000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2356-132-0x0000000100000000-0x000000010028C000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2356-133-0x0000000100000000-0x000000010028C000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/4516-139-0x0000000140000000-0x000000014038E000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/4516-138-0x0000000140000000-0x000000014038E000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/4516-140-0x0000000140000000-0x000000014038E000-memory.dmp

          Filesize

          3.6MB

          Download

        • memory/4536-150-0x0000000140000000-0x0000000140322000-memory.dmp

          Filesize

          3.1MB

          Download

        • memory/4924-165-0x0000000140000000-0x0000000140231000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4924-145-0x0000000140000000-0x0000000140231000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/5076-136-0x0000000140000000-0x0000000140370000-memory.dmp

          Filesize

          3.4MB

          Download

        • memory/5076-135-0x0000000140000000-0x0000000140370000-memory.dmp

          Filesize

          3.4MB

          Download